Docker Enterprise 3.0 supports worker nodes that run on Windows Server 2019. Only worker nodes are supported on Windows, and all manager nodes in the cluster must run on Linux.
To enable a worker node on Windows, install Mirantis Container Runtime on Windows Server 2019 before joining the node to a Docker Enterprise cluster.
To configure the Docker daemon and the Windows environment:
Pull the Windows-specific image of ucp-agent, which is named ucp-agent-win.
Run the Windows node setup script provided by ucp-agent-win.
Join the cluster with the token provided by the MKE web interface or CLI.
Note
As of Docker Enterprise 2.1, which includes MKE 3.1, labeling Windows nodes by hand is no longer necessary. Windows nodes are automatically assigned the ostype=windows label.
On a manager node, run the following command to list the images that are required on Windows nodes.
docker container run --rm docker/ucp:3.2.5 images --list --enable-windows
docker/ucp-agent-win:3.2.5
docker/ucp-dsinfo-win:3.2.5
On a Windows Server node, in a PowerShell terminal running as Administrator, log in to Docker Hub with the docker login command and pull the listed images.
docker image pull docker/ucp-agent-win:3.2.5
docker image pull docker/ucp-dsinfo-win:3.2.5
If the cluster is deployed in an offline site, where the nodes do not have access to Docker Hub, MKE images can be sideloaded onto the Windows Server nodes. Follow the instructions on the offline install page to sideload the images.
The setup script opens ports 2376 and 12376 and creates certificates so that the Docker daemon can communicate securely. The script also re-registers the docker service in Windows to use named pipes, sets it to enforce TLS communication over port 2376, and provides the paths to the MKE certificates.
Use this command to run the Windows node setup script:
$script = [ScriptBlock]::Create((docker run --rm docker/ucp-agent-win:3.2.5 windows-script | Out-String))
Invoke-Command $script
Note
Running windows-script restarts the Docker daemon, so the Docker service is temporarily unavailable while the script runs.
The Windows node is ready to join the cluster. Run the setup script on each instance of Windows Server that will be a worker node.
The script may be incompatible with installations that use a config file at C:\ProgramData\docker\config\daemon.json. If you use such a file, make sure that the daemon runs on port 2376 and that it uses certificates located in C:\ProgramData\docker\daemoncerts. If certificates don't exist in this directory, run ucp-agent-win generate-certs, as shown in Step 2 of the procedure in Set up certs for the dockerd service.
In the daemon.json file, set the tlscacert, tlscert, and tlskey options to the corresponding files in C:\ProgramData\docker\daemoncerts:
{
...
"debug": true,
"tls": true,
"tlscacert": "C:\\ProgramData\\docker\\daemoncerts\\ca.pem",
"tlscert": "C:\\ProgramData\\docker\\daemoncerts\\cert.pem",
"tlskey": "C:\\ProgramData\\docker\\daemoncerts\\key.pem",
"tlsverify": true,
...
}
To join the cluster using the docker swarm join command provided by the MKE web interface and CLI:
Copy the displayed command. It looks similar to the following:
docker swarm join --token <token> <mke-manager-ip>
You can also use the command line to get the join token. Using your MKE client bundle, run:
docker swarm join-token worker
Run the docker swarm join command on each instance of Windows Server that will be a worker node.
The following sections describe how to run the commands in the setup script manually to configure the dockerd service and the Windows environment. dockerd is the persistent process that manages containers. The script opens ports in the firewall and sets up certificates for dockerd.
To see the script, run the windows-script command on its own, without passing its output to Invoke-Command.
docker container run --rm docker/ucp-agent-win:3.2.5 windows-script
Docker Enterprise requires that ports 2376 and 12376 are open for inbound TCP traffic.
In a PowerShell terminal running as Administrator, run these commands to add rules to the Windows firewall.
netsh advfirewall firewall add rule name="docker_local" dir=in action=allow protocol=TCP localport=2376
netsh advfirewall firewall add rule name="docker_proxy" dir=in action=allow protocol=TCP localport=12376
To set up certs for the dockerd service:
Create the directory C:\ProgramData\docker\daemoncerts.
In a PowerShell terminal running as Administrator, run the following command to generate certificates.
docker container run --rm -v C:\ProgramData\docker\daemoncerts:C:\certs docker/ucp-agent-win:3.2.5 generate-certs
To set up certificates, run the following commands to stop and unregister the dockerd service, register the service with the certificates, and restart the service.
Stop-Service docker
dockerd --unregister-service
dockerd -H npipe:// -H 0.0.0.0:2376 --tlsverify --tlscacert=C:\ProgramData\docker\daemoncerts\ca.pem --tlscert=C:\ProgramData\docker\daemoncerts\cert.pem --tlskey=C:\ProgramData\docker\daemoncerts\key.pem --register-service
Start-Service docker
The dockerd service and the Windows environment are now configured to join a Docker Enterprise cluster.
Note
If the TLS certificates aren’t set up correctly, the MKE web interface shows the following warning:
Node WIN-NOOQV2PJGTE is a Windows node that cannot connect to its local Docker daemon.
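The following PowerShell check is an added example, not part of the Mirantis documentation or of ucp-agent-win. Run it as Administrator on the Windows node after the setup script (or the manual steps above) and before joining, to catch the misconfigurations behind that warning: missing or expired certificates, a daemon.json that disagrees with the service flags (the caveat above), a docker service registered without --tlsverify on 2376, or missing firewall rules. Paths and rule names are the ones used on this page; the variable names and checks are this example's own assumptions.

```powershell
# Added post-setup check, not part of the MKE documentation or ucp-agent-win.
# Assumes the paths and firewall rule names used on this page; adjust $CertDir if yours differ.
$CertDir   = 'C:\ProgramData\docker\daemoncerts'
$DaemonCfg = 'C:\ProgramData\docker\config\daemon.json'
$problems  = New-Object System.Collections.Generic.List[string]

# 1. The three PEM files exist and the server certificate has not expired.
foreach ($f in 'ca.pem', 'cert.pem', 'key.pem') {
    if (-not (Test-Path (Join-Path $CertDir $f))) { $problems.Add("missing $CertDir\$f") }
}
$certPath = Join-Path $CertDir 'cert.pem'
if (Test-Path $certPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
    if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("cert.pem expired on $($cert.NotAfter)") }
}

# 2. If a daemon.json exists, it must agree with the service flags: TLS verification on,
#    and all three tls* options pointing into the daemoncerts directory.
if (Test-Path $DaemonCfg) {
    $cfg = Get-Content $DaemonCfg -Raw | ConvertFrom-Json
    if ($cfg.tlsverify -ne $true) { $problems.Add('daemon.json: "tlsverify" is not true') }
    foreach ($k in 'tlscacert', 'tlscert', 'tlskey') {
        if (-not $cfg.$k -or -not $cfg.$k.StartsWith($CertDir, 'OrdinalIgnoreCase')) {
            $problems.Add("daemon.json: `"$k`" does not point into $CertDir")
        }
    }
}

# 3. The docker service was registered with TLS enforced on 0.0.0.0:2376
#    (dockerd --register-service stores its flags in the service's binary path).
$svc = Get-CimInstance Win32_Service -Filter "Name='docker'"
if (-not $svc) { $problems.Add('docker service is not registered') }
elseif ($svc.PathName -notmatch '0\.0\.0\.0:2376' -or $svc.PathName -notmatch '--tlsverify') {
    $problems.Add("docker service registered without --tlsverify on 2376: $($svc.PathName)")
}

# 4. The firewall rules added by the setup script exist and port 2376 is actually listening.
foreach ($rule in 'docker_local', 'docker_proxy') {
    if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
        $problems.Add("firewall rule $rule is missing")
    }
}
if (-not (Get-NetTCPConnection -LocalPort 2376 -State Listen -ErrorAction SilentlyContinue)) {
    $problems.Add('nothing is listening on TCP 2376')
}

if ($problems.Count -eq 0) { 'OK: dockerd TLS setup matches the expected configuration' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Each reported PROBLEM line maps to one of the steps above (certificate generation, daemon.json, service registration, or firewall rules), so rerun only the step it names.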
The following features are not yet supported on Windows Server 2019:
ucp-hrm network to make it unencrypted.